restrict deletion of wiki pages, re #4490

Merge request studip/studip!3285

app/controllers/course/wiki.php

@@ -164,6 +164,7 @@ class Course_WikiController extends AuthenticatedController
                     Icon::create('settings'),
                     ['data-dialog' => 'width=700']
                 );
+                if ($this->page->isDeletable()) {
                     if (count($this->page->versions) > 0) {
                         $action_menu->addLink(
                             $this->ask_deletingURL($this->page),
@@ -180,6 +181,7 @@ class Course_WikiController extends AuthenticatedController
                         );
                     }
                 }
+            }
             $this->contentBarVueApp = $this->contentBarVueApp->withSlot('menu', $action_menu->render());
         }
 

app/views/course/wiki/ask_deleting.php

+<?php
+/**
+ * @var Course_WikiController $controller
+ * @var WikiPage $page
+ */
+?>
 <form action="" method="post">
     <?= CSRFProtection::tokenTag() ?>
     <div class="file_select_possibilities">
         <div>
+        <? if (count($page->versions) > 0 && $page->versions->first()->isDeletable()): ?>
             <div class="clickable">
-                <?= Icon::create('archive2')->asInput(50, [
-                    'formaction' => $controller->deleteversionURL($page, ['redirect_to' => 'page']),
-                    'data-confirm' => _('Wirklich die letzte Änderung löschen?')
-                ]) ?>
                 <button
-                    class="undecorated"
+                    class="as-link"
                     data-confirm="<?= _('Wirklich die letzte Änderung löschen?') ?>"
-                    formaction="<?= $controller->deleteversionURL($page, ['redirect_to' => 'page']) ?>">
+                    formaction="<?= $controller->deleteversionURL($page, ['redirect_to' => 'page']) ?>"
+                >
+                    <?= Icon::create('archive2')->asImg(50) ?>
                     <?= _('Nur die letzte Änderung löschen') ?>
                 </button>
             </div>
+        <? endif; ?>
+        <? if ($page->isDeletable()): ?>
             <div class="clickable">
-                <?= Icon::create('wiki')->asInput(50, [
-                    'formaction' => $controller->deleteURL($page),
-                    'data-confirm' => _('Wollen Sie wirklich die komplette Seite löschen?')
-                ]) ?>
                 <button
-                    class="undecorated"
+                    class="as-link"
                     data-confirm="<?= _('Wollen Sie wirklich die komplette Seite löschen?') ?>"
-                    formaction="<?= $controller->deleteURL($page) ?>">
+                    formaction="<?= $controller->deleteURL($page) ?>"
+                >
+                    <?= Icon::create('wiki')->asImg(50) ?>
                     <?= _('Ganze Wikiseite löschen') ?>
                 </button>
             </div>
+        <? endif; ?>
         </div>
     </div>
 </form>

lib/models/WikiPage.php

@@ -13,19 +13,23 @@
  *
  * @property int $id alias for pk
  * @property int $page_id database column
- * @property string $course_id database column
- * @property string|null $user_id database column
+ * @property string $range_id database column
  * @property string $name database column
  * @property string $content database column
- * @property string|null $ancestor database column
- * @property int|null $chdate database column
- * @property int $version database column
+ * @property string|null $parent_id database column
+ * @property string $read_permission database column
+ * @property string $write_permission database column
+ * @property string $user_id database column
+ * @property int|null $locked_since database column
+ * @property string|null $locked_by_user_id database column
  * @property int|null $mkdate database column
+ * @property int|null $chdate database column
+ *
  * @property User|null $user belongs_to User
  * @property Course $course belongs_to Course
  * @property WikiVersion[]|SimpleORMapCollection $versions
  * @property WikiOnlineEditingUser[]|SimpleORMapCollection $onlineeditingusers
- * @property-read WikiPage $parent additional field
+ * @property-read WikiPage|null $parent additional field
  * @property-read WikiPage[] $children additional field
  * @property-read WikiVersion|null $predecessor additional field
  * @property-read int $versionnumber additional field
@@ -179,16 +183,18 @@ class WikiPage extends SimpleORMap implements PrivacyObject
         if ($user_id === null && User::findCurrent()) {
             $user_id = User::findCurrent()->id;
         }
-        if ($GLOBALS['perm']->have_studip_perm(
-            'dozent',
-            $this->range_id,
-            $user_id
-        )) {
-            return true;
+
+        if (
+            !$user_id
+            || !$GLOBALS['perm']->have_studip_perm('user', $this->range_id, $user_id)
+        ) {
+            return false;
         }
+
         if ($this->write_permission === 'all') {
             return true;
         }
+
         if (in_array($this->write_permission, ['tutor', 'dozent'])) {
             return $GLOBALS['perm']->have_studip_perm(
                 $this->write_permission,
@@ -200,6 +206,37 @@ class WikiPage extends SimpleORMap implements PrivacyObject
         }
     }
 
+    public function isDeletable(?string $user_id = null): bool
+    {
+        if ($user_id === null && User::findCurrent()) {
+            $user_id = User::findCurrent()->id;
+        }
+
+        if (!$user_id) {
+            return false;
+        }
+
+        $permission  = $this->write_permission;
+        if ($permission === 'all') {
+            $permission = 'tutor';
+        }
+
+        if (
+            in_array($permission, ['tutor', 'dozent'])
+            && $GLOBALS['perm']->have_studip_perm(
+                $this->write_permission,
+                $this->range_id,
+                $user_id
+            )
+        ) {
+            return true;
+        }
+
+        return $this->user_id === $user_id
+            && $this->versions->every(function (WikiVersion $version) use ($user_id): bool {
+                return $version->user_id === $user_id;
+            });
+    }
 
     /**
      * Export available data of a given user into a storage object

lib/models/WikiVersion.php

@@ -13,11 +13,19 @@
  * @license     http://www.gnu.org/licenses/gpl-2.0.html GPL version 2
  * @category    Stud.IP
  *
- * @property string page_id       database column
- * @property string id            alias column for user_id
- * @property string last_lifesign computed column read/write
+ * @property int $id alias column for user_id
+ * @property int $version_id database column
+ * @property int $page_id database column
+ * @property string $name database column
+ * @property string $content database column
+ * @property string $user_id database column
+ * @property int $mkdate database column
  *
  * @property WikiPage $page
+ * @property User $user
+ * @property WikiPage|null $predecessor
+ * @property WikiPage|null $successor
+ * @property int|null $versionnumber
  */
 class WikiVersion extends SimpleORMap
 {
@@ -63,4 +71,33 @@ class WikiVersion extends SimpleORMap
         ];
         parent::configure($config);
     }
+
+    public function isDeletable(?string $user_id = null): bool
+    {
+        if ($user_id === null && User::findCurrent()) {
+            $user_id = User::findCurrent()->id;
+        }
+
+        if (!$user_id) {
+            return false;
+        }
+
+        if ($this->user_id === $user_id) {
+            return true;
+        }
+
+        $permission = $this->page->write_permission;
+        if ($permission === 'all') {
+            $permission = 'tutor';
+        }
+
+        return in_array($permission, ['tutor', 'dozent'])
+            && $GLOBALS['perm']->have_studip_perm(
+                $this->page->write_permission,
+                $this->page->range_id,
+                $user_id
+            );
+
+
+    }
 }

resources/assets/stylesheets/scss/files.scss

@@ -126,6 +126,12 @@ div.file_select_possibilities,
                 margin-left: auto;
                 margin-right: auto;
             }
+
+            button img {
+                display: block;
+                margin-left: auto;
+                margin-right: auto;
+            }
         }
 
         > .important-item {